How-To build and configure mod_authz_ldap to do AuthZ for Cosign AuthN
--------------------

1) download and build openldap: (libraries and tools, no server)
   http://www.openldap.org/software/download/
   build:
   ./configure --enable-bdb=no --enable-slapd=no --prefix=/usr/local/openldap-2.1.21
   (I haven't tried the latest version yet, but there's no reason it shouldn't work.)

2) download, patch and build mod_authz_ldap:
   (http://authzldap.othello.ch/download.html)

2b) patch - the patch at the bottom of this file adds an additional AuthzLDAPMethod,
    called "basic". Despite the name it does not perform HTTP Basic authentication:
    with this method the module neither reads the client's credentials nor binds to
    the LDAP server as the user; it trusts that an earlier authentication handler
    (here mod_cosign) has already authenticated the request and set the user name,
    and goes straight to the LDAP lookups and group/role checks with that name.
    In other words, "basic" verifies nothing itself -- authentication must be done,
    and enforced, by whatever runs before it.
    Apply this file, which contains the patch at the bottom. cd into the top level
    of the src directory first:
    % cd ~/src/mod_authz_ldap-0.26
    % patch -p1 < ~/mod_authz_ldap-NOTES.txt

2c) configure - adjust your paths as necessary:
    env CC=gcc LDFLAGS="-L/usr/local/openldap-2.1.21/lib" \
        CFLAGS="-I/usr/local/openldap-2.1.21/include" \
        ./configure --with-openssl-path=/usr/local/openssl \
        --with-apxs=/usr/local/apache/bin/apxs

3) make install

4) edit your httpd.conf:

   IMPORTANT! mod_authz_ldap must be loaded *AFTER* mod_cosign. The "basic" method
   trusts whatever user name is already attached to the request without checking
   any credential, so mod_authz_ldap's check must run only after mod_cosign has
   validated the cosign cookie and set that name. In Apache 1.3 the module loaded
   last runs first (verify this for your Apache version); with the order reversed
   the user name has not been established by cosign when mod_authz_ldap looks at
   it, so the check is either refused for everyone or, worse, made on a name that
   no trusted module vouched for -- those are the "very bad, bad things". :)
   For the same reason keep AuthType Cosign on every location that uses
   AuthzLDAPMethod basic; with any other AuthType nothing authenticates the user
   before mod_authz_ldap trusts it.
   Note also that nothing below enables TLS for the connection to the LDAP server,
   and with "basic" there is no bind as the user either; since the authorization
   decision rests entirely on what that lookup returns, use a protected connection
   if your directory and your mod_authz_ldap build support one.

   #this path will vary based on where you house your .so
   #mod_cosign must go first!
   #(the module names must match the `module` symbols exported by each .so --
   # check your mod_cosign build if Apache cannot locate cosign__module)
   LoadModule cosign__module libexec/mod_cosign.so
   LoadModule authz_ldap_module libexec/mod_authz_ldap.so

   AllowOverride AuthConfig Limit
   AuthType Cosign
   AuthzLDAPMethod basic
   AuthzLDAPServer ldap.itd.umich.edu
   AuthzLDAPProtocolVersion 3
   AuthzLDAPUserBase ou=People,dc=umich,dc=edu
   AuthzLDAPUserScope base
   AuthzLDAPUserKey uid
   AuthzLDAPGroupBase "ou=User Groups,ou=Groups,dc=umich,dc=edu"
   AuthzLDAPGroupScope subtree
   AuthzLDAPGroupKey cn
   AuthzLDAPSetGroupAuth ldapdn
   AuthzLDAPRoleAttributeName "ou"

5) restrict access from .htaccess, or from a Location or Directory block, with
   either a role or a group requirement (the two forms below):
   #if there are spaces in the name, quote 'em.
AuthType Cosign require role "* Student" #or require group "cosign codesign"
diff -r -c mod_authz_ldap-0.26/module/auth.c mod_authz_ldap-0.26-UMICH/module/auth.c
*** mod_authz_ldap-0.26/module/auth.c Wed Mar 31 00:15:37 2004
--- mod_authz_ldap-0.26-UMICH/module/auth.c Wed Nov 2 17:03:10 2005
***************
*** 159,164 ****
--- 159,166 ----
  }
  AUTHZ_DEBUG3("[%d] authentication dn: %s", (int)getpid(), dn);
+ if ((sec->method & AUTHMETHOD_BASIC) == 0) {
+ 
  /* now we know the DN of the user, bind as that user */
  res = ap_get_basic_auth_pw(r, (const char **)&pw);
  if (res) return res;
***************
*** 205,210 ****
--- 207,214 ----
  }
  AUTHZ_DEBUG3("[%d] bind for %s succeeds", (int)getpid(), dn);
+ }
+ 
  /* remember the user distinguished name */
  authz_ldap_set_userdn(r, dn);
***************
*** 301,306 ****
--- 305,313 ----
  }
  AUTHZ_DEBUG2("[%d] going to request additional LDAP "
  "credentials", (int)getpid());
+ } else if (sec->method & AUTHMETHOD_BASIC) {
+ AUTHZ_DEBUG3("[%d] trusting basic auth for %s",
+ (int)getpid(), USER(r));
  } else {
  try_password:
  AUTHZ_DEBUG2("[%d] working with basic authentication",
diff -r -c mod_authz_ldap-0.26/module/mod_authz_ldap.h mod_authz_ldap-0.26-UMICH/module/mod_authz_ldap.h
*** mod_authz_ldap-0.26/module/mod_authz_ldap.h Wed Mar 31 00:15:38 2004
--- mod_authz_ldap-0.26-UMICH/module/mod_authz_ldap.h Wed Nov 2 17:04:52 2005
***************
*** 52,58 ****
  #define ldap_memfree free
  #endif
! module MODULE_VAR_EXPORT authz_ldap_module;
  #define AUTHZ_AUTH 0
  #define AUTHZ_PROXY 1
--- 52,58 ----
  #define ldap_memfree free
  #endif
! extern module MODULE_VAR_EXPORT authz_ldap_module;
  #define AUTHZ_AUTH 0
  #define AUTHZ_PROXY 1
***************
*** 61,66 ****
--- 61,67 ----
  #define AUTHMETHOD_NONE 0
  #define AUTHMETHOD_CERT 1
  #define AUTHMETHOD_LDAP 2
+ #define AUTHMETHOD_BASIC 4
  #define AUTHMETHOD_BOTH (AUTHMETHOD_CERT | AUTHMETHOD_LDAP)
  #define AUTHHEADER_NONE 0
diff -r -c mod_authz_ldap-0.26/module/modconf.c mod_authz_ldap-0.26-UMICH/module/modconf.c
*** mod_authz_ldap-0.26/module/modconf.c Tue Mar 30 18:35:50 2004
--- mod_authz_ldap-0.26-UMICH/module/modconf.c Wed Nov 2 17:03:10 2005
***************
*** 241,246 ****
--- 241,250 ----
  sec->method = AUTHMETHOD_BOTH;
  return NULL;
  }
+ if (0 == strcasecmp(arg, "basic")) {
+ sec->method = AUTHMETHOD_BASIC;
+ return NULL;
+ }
  return "unknown authentication method";
  }
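Review bot: The added `if ((sec->method & AUTHMETHOD_BASIC) == 0) {` in the first auth.c hunk routes the "basic" method around both `ap_get_basic_auth_pw` and the LDAP bind, so on that path this function no longer verifies any credential and simply trusts that an earlier handler set the request user, which the hunk never checks. Unless the DN lookup above the hunk already rejects an unset user (that code is outside the hunk), add a guard on the basic path, e.g. `if ((sec->method & AUTHMETHOD_BASIC) && (USER(r) == NULL || *USER(r) == '\0')) return AUTH_REQUIRED;`, using whatever status this function returns for a failed bind, so a misordered LoadModule fails closed instead of proceeding with an empty user. A comment on the new `if` saying that "basic" relies entirely on a trusted upstream authenticator would also help, since the brace it opens is only closed in the next hunk. The enclosing function starts and ends outside the hunk.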
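Review bot: The added `+ }` in the second auth.c hunk closes the `if ((sec->method & AUTHMETHOD_BASIC) == 0) {` opened in the previous hunk some forty lines earlier, while the enclosed password/bind code keeps its old indentation, so a reader of auth.c cannot see that the bind has become conditional. Either re-indent the enclosed block or at least label the brace, `} /* end: bind skipped for AuthzLDAPMethod basic */`. The enclosing function continues outside the hunk.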
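Review bot: The new `AUTHZ_DEBUG3("[%d] trusting basic auth for %s", (int)getpid(), USER(r))` in the third auth.c hunk hands `USER(r)` to a `%s` conversion; if no earlier handler set the user that pointer may be NULL, and if `AUTHZ_DEBUG3` is printf-style (it takes a format string and varargs here) that is undefined behaviour — glibc prints "(null)", other libcs can crash. Print a placeholder instead, `USER(r) ? USER(r) : "(unset)"`, and say in a comment that this branch enforces nothing: the message reads "trusting" and that is literally all it does. The enclosing function starts and ends outside the hunk.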
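Review bot: The new `basic` keyword in the modconf.c hunk deserves a comment, because the name suggests HTTP Basic authentication while the method actually disables the LDAP bind and trusts a user name set by an earlier handler (see the auth.c change in the same patch). Something like `/* "basic": no LDAP bind; trust the user already authenticated by an earlier module (e.g. mod_cosign) */` above the `strcasecmp` would save the next reader a trip through auth.c. Assigning `sec->method = AUTHMETHOD_BASIC` unconditionally matches the sibling branches, so no objection there; the enclosing function starts outside the hunk.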